An arrangement for connecting a mobile telecommunication subscriber to data services is shown in FIG. 1. In the figure, the subscriber has connected his computer PC (Personal Computer) to his GSM Mobile Station MS. The MS has established a connection to a Base Transceiver Station BTS of the GSM network. The BTS forwards the information sent by the MS to the Base Station Controller BSC, which in turn forwards the information to the Mobile Switching Center MSC. The MSC is connected to the private data network of the operator using the LAN access unit. In the private network, the Intelligent Data Agent IDA provides intelligence for purposes such as billing and the operation and maintenance of data connections. The private network is connected to other networks such as ATM (Asynchronous Transfer Mode), X.21, Frame Relay FR and Internet.
An arrangement whereby the subscriber uses the services provided by a server in another private network is shown in FIG. 2. According to the figure, the second private network is connected to the operator network via an arbitrating network or a plurality of arbitrating networks. When the private network is a private network of a company, for example, the security of the data connection from the subscriber to the server must be enforced. The GSM system provides authentication and secure data transmission between the mobile subscriber MS and the mobile switching center MSC.
In GSM, the authentication process is based on a challenge-response process, whereby the network sends the Subscriber Identity Module SIM installed in the mobile station a random challenge. The mobile station replies with a response according to calculations based on the random challenge and a secret key known only by the authentication center of the network and the SIM. The authentication center also calculates the response from the random challenge and the secret key. If the responses calculated by the SIM and the authentication center are identical, mobile subscriber authenticity has been established by the authentication process.
Data transmission between the base station and the mobile station is encrypted with a secret encryption key calculated on the basis of the random challenge and the secret key. This method of secret key encryption, which is also called the symmetrical encryption method, will be described in more detail later.
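The challenge-response exchange and the derivation of the encryption key described above, as an added example that is not part of the original text. The GSM algorithms are not reproduced here: HMAC-SHA256 is an assumed stand-in, and the class names, the subscriber identifier and the keys are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def derive(ki: bytes, rand: bytes):
    """Stand-in (assumption: HMAC-SHA256) for the response and key calculations."""
    out = hmac.new(ki, rand, hashlib.sha256).digest()
    return out[:4], out[4:12]          # 32-bit response, 64-bit encryption key

class AuthCenter:
    """Network side: holds the secret key of every subscriber."""
    def __init__(self, keys):
        self._keys = keys              # subscriber id -> secret key
    def challenge(self, subscriber: str):
        rand = secrets.token_bytes(16)  # fresh 128-bit random challenge
        expected, kc = derive(self._keys[subscriber], rand)
        return rand, expected, kc

class Sim:
    """Subscriber side: the secret key never leaves the module."""
    def __init__(self, ki: bytes):
        self._ki = ki
    def respond(self, rand: bytes):
        return derive(self._ki, rand)

def authenticate(auc: AuthCenter, subscriber: str, sim: Sim):
    """Run one exchange; return (accepted, network key, mobile key)."""
    rand, expected, kc_net = auc.challenge(subscriber)
    response, kc_ms = sim.respond(rand)     # only rand and response are sent
    accepted = hmac.compare_digest(response, expected)
    return accepted, kc_net, kc_ms

# Constructed sample data.
KI = bytes.fromhex("00112233445566778899aabbccddeeff")
AUC = AuthCenter({"subscriber-1": KI})

if __name__ == "__main__":
    print(authenticate(AUC, "subscriber-1", Sim(KI)))
    print(authenticate(AUC, "subscriber-1", Sim(b"\x00" * 16))[0])
```

Because the challenge is fresh for every run, a recorded response cannot be replayed, and each accepted run gives both sides a new encryption key without that key being transmitted.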
Although it may be assumed that the GSM connections are secure, the connection between the subscriber and the server is insecure if no authentication and encryption are used over the arbitrating network.
A plurality of methods for securing a connection between two network elements is known in prior art. FIGS. 3 and 4 of the attached drawings show block diagrams of two known encryption algorithms which can be used to protect a transmission: a symmetric and an asymmetric algorithm.
FIG. 3 shows a symmetric encryption process based on a secret key shared between the participants. At party A's end the message to be sent to party B is encrypted with the shared secret key. The message is sent over a transmission route in encrypted form. The receiving party B decrypts the encrypted message with the same secret key K to retrieve the original message. An intruder eavesdropping the transmission needs to learn the secret key in order to be able to read and understand the encrypted message which has been transmitted. Another alternative is to find a weakness in the algorithm itself. Therefore, it is preferable to use publicly analyzed algorithms, such as the DES (Data Encryption Standard) algorithm. The encryption and decryption of the symmetric process can be expressed by the equations:

$$C = E_K(M) \quad \text{and} \quad M = D_K(C),$$

where $C$ is the encrypted message, $M$ is the message in plain text, $E_K$ is the encryption with key $K$, and $D_K$ is the decryption with key $K$.
FIG. 4 shows a public key encryption process which is an asymmetric approach. This algorithm is based on two keys: a public key and a private key. These two keys are related in such a manner that a message encrypted with a public key can only be decrypted with the corresponding private key and vice versa. The public key can be easily calculated by using the corresponding private key. However, it is computationally unfeasible to calculate a private key based on the corresponding public key. In FIG. 4 a message is encrypted at party A's end with the public key of the intended receiver, that is party B. The encrypted message is transmitted over a transmission line to party B's end, where it is decrypted with the corresponding party B's private key and the original message is retrieved. Again, publicly analyzed algorithms, such as the RSA (Rivest-Shamir-Adleman) algorithm are preferred.
The encryption and decryption of the asymmetric algorithm can also be expressed by the following equations:

$$C = E_B^{+}(M) \quad \text{and} \quad M = D_B^{-}(C),$$

where $C$ is the encrypted message, $M$ is the message in plain text, $E_B^{+}$ is encryption with the receiver's public key $K_B^{+}$, and $D_B^{-}$ is decryption with the receiver's private key $K_B^{-}$. Due to the properties of the encryption function $E$, it is computationally unfeasible to decrypt a message encrypted using the public key of the recipient if the private key is not known.
Since asymmetric keys are usually much longer than symmetric keys, the asymmetric algorithm requires much more processing capacity. Thus, asymmetric algorithms are unsuitable for encrypting large amounts of data, since the public key process may be too slow for networks enabling very high transmission speeds.
Hybrid cryptography uses both the above algorithms together. For example, only session keys are exchanged using the public key algorithm, and the rest of the communication is encrypted applying the symmetric method.
In a public key algorithm the encryption of a message with the private key of the message sender acts as a digital signature, since anyone can decrypt the message with the known public key of the sender. This feature can be utilized to provide message integrity and authentication in a connection. Use of digital signatures is shown in FIGS. 5 and 6.
The procedure for generating a digital signature is shown in FIG. 5. The sender calculates from the message a message digest using a cryptographically strong one-way hash function. The message digest is somewhat analogous to the error checking codes widely used in telecommunications. But contrary to the error checking codes, it is believed to be computationally unfeasible to substitute one message with another so as to produce an identical message digest.
The message digest is encrypted using the private key of the sender and the encrypted message digest is used as a digital signature. The digital signature is then sent to the receiver together with the message.
The procedure for the receiving party to verify a digital signature is shown in FIG. 6. Having received the message and the digital signature, the receiver calculates the message digest of the message using the message digest algorithm. If no alterations have occurred in the message, the resulting message digest is identical to the message digest calculated by the sender. On the other hand, due to the properties of the algorithm, it would be computationally unfeasible for an intruder to substitute the message with another that would produce an identical message digest.
The received digital signature is the message digest encrypted by using the private key of the sender. The message digest can thus be retrieved by decrypting the digital signature using the public key of the sender, which is known by the receiver. If decryption has taken place using the private key which corresponds to the public key of the assumed sender, the recovered message digest will be identical to the message digest calculated by the sender. This in turn is identical to the message digest calculated by the receiver only when no changes in the message have occurred. Thus, if the comparison shows that the message digest calculated from the received message and the message digest calculated by decrypting the digital signature are identical, it can be deduced that the message has not been altered and that it was sent by the claimed sender.
In the methodology of secret key encryption, message authentication can be provided using a Message Authentication Code MAC similar to the digital signature. For example, MAC can be calculated with a one-way hash algorithm in the following way:

$$\mathrm{MAC} = H(K, M, K),$$

where $K$ is the key, $M$ is the message, and $H$ is a hash function. The input cannot be deduced from the output. When MAC is attached to a message, the message cannot be corrupted or impersonated. The receiving party calculates MAC using the received message and the same hash function and key as the transmitting party and then compares this calculated MAC to the MAC attached to the message in order to verify it.
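The MAC calculation and the receiver's check described above, as an added example that is not part of the original text. It assumes SHA-256 as the hash function H and plain concatenation of K, M and K as its input; the function names and sample values are constructed. It goes beyond the text in one respect: HMAC (RFC 2104), the standardized keyed-hash construction, is included as a drop-in alternative.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size   # 32 bytes

def envelope_mac(key: bytes, message: bytes) -> bytes:
    """MAC = H(K, M, K): hash the message enclosed by the key on both sides."""
    return hashlib.sha256(key + message + key).digest()

def hmac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256, the standardized keyed hash, for comparison."""
    return hmac.new(key, message, hashlib.sha256).digest()

def attach(key: bytes, message: bytes, mac=envelope_mac) -> bytes:
    """Transmitting party: append the MAC to the message."""
    return message + mac(key, message)

def check(key: bytes, frame: bytes, mac=envelope_mac):
    """Receiving party: recalculate the MAC from the received message and
    compare it with the attached one. Returns the message, or None."""
    if len(frame) < TAG_LEN:
        return None                       # too short to carry a MAC
    message, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = mac(key, message)
    # Constant-time comparison avoids leaking how many bytes matched.
    return message if hmac.compare_digest(expected, tag) else None

def flip_bit(frame: bytes, index: int) -> bytes:
    """Simulate corruption in transit by flipping one bit of one byte."""
    return frame[:index] + bytes([frame[index] ^ 0x01]) + frame[index + 1:]

KEY = bytes(range(16))                    # constructed shared secret
MSG = b"bill subscriber 42 for 10 units"  # constructed message

if __name__ == "__main__":
    frame = attach(KEY, MSG)
    print(check(KEY, frame))                    # message accepted
    print(check(KEY, flip_bit(frame, 5)))       # altered message rejected
    print(check(b"\x00" * 16, frame))           # sender without the key rejected
```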
In this application, the term authenticity code is used as a common name for all codes providing a message with authenticity and integrity, i.e. for both the digital signatures and message authentication codes.
Prior art provides a means for secure data connection from the subscriber to the GSM network as well as from the private network of the operator to another private network such as a company network, as illustrated in FIG. 7. However, the operator network can be used by a plurality of users not all of whom are entitled to the services of the company network. In prior art, their access to the company network must be denied by using a password based authentication procedure between the subscriber and the company network. This is inconvenient because the password must be transferred whenever the connection is established.
The objective of the present invention is to solve the above problem. This objective is achieved by using the method and apparatus defined in the independent claims.